Hi, I have added a sample demonstrating how to integration spring security, however it seems you already figured most of it out. Anyway if its helpful there is the following code:
Package in both main and test is: com.pellcorp.server.security And the interceptor is com.pellcorp.server.interceptor.SecurityContextAuthenticationInterceptor The relevant spring context is referenced in the test case. https://github.com/pellcorp/cxf/tree/master/JavaFirst On Fri, Apr 12, 2013 at 11:01 PM, Julio Carlos Barrera Juez < [email protected]> wrote: > I have achieved some goals. I have attached two interceptors to my JAX-RS > server and it worked. I copied a interceptor from Internet and modified it, > the result is: > > public class CXFSecurityContextProviderInterceptor extends > AbstractPhaseInterceptor<Message> { > > public CXFSecurityContextProviderInterceptor() { > super(Phase.RECEIVE); > } > > public void handleMessage(Message message) throws Fault { > final Authentication authentication = > message.getExchange().get(Authentication.class); > if (authentication != null && authentication.isAuthenticated()) { > message.put(SecurityContext.class, new SecurityContext() { > public Principal getUserPrincipal() { > return authentication; > } > > public boolean isUserInRole(String role) { > Collection<GrantedAuthority> authorities = > authentication.getAuthorities(); > if (authorities != null) { > for (GrantedAuthority authority : authorities) { > if (role.equals(authority.getAuthority())) { > return true; > } > } > } > return false; > } > }); > } > } > } > > Now I realized that 'message' in this case has not an 'Authentication' > class attached in the 'Exchange' attribute of the message. I have read that > I need to add a filter that fulfils this field. I tried to find information > and I'm continuing trying it, but I have not found a solution yet. > > It seems so difficult to link Spring Security configuration with CXF!! > > This is my simple Spring Security configuration: > > <!-- Spring Security --> > <security:global-method-security secured-annotations="enabled" /> > > <security:http use-expressions="true"> > <security:intercept-url pattern="/**" access="ROLE_ADMIN" /> > <security:http-basic /> > </security:http> > > <security:authentication-manager alias="authenticationManager"> > <security:authentication-provider> > <security:user-service> > <security:user name="admin" password="admin" > authorities="ROLE_ADMIN" /> > </security:user-service> > </security:authentication-provider> > </security:authentication-manager> > > On 10 April 2013 23:33, Jason Pell <[email protected]> wrote: > > > As long as you create a spring SecurityContext in cxf interceptor and add > > it to the spring security holder not sure how that works with jaxrs but > in > > jaxws I just add a interceptor after authenticating. > > > > Then you can use the acl stuff as Samuel suggested > > On Apr 11, 2013 4:02 AM, "Samuel Quintana" <[email protected]> wrote: > > > > > I'm not sure but you can use Spring Security ACL, in this case you need > > > filter at classes level, or interfaces from wouy SW. > > > > > > This post< > > > > > > http://stackoverflow.com/questions/7481869/spring-security-how-acl-grants-permissions > > > >can > > > help you. > > > > > > Regards. > > > > > > > > > 2013/4/10 Sergey Beryozkin <[email protected]> > > > > > > > Hi, I'm not sure you can link it without having a web application, > but > > > > only an embedded Jetty server. > > > > I guess you may want to ask on Spring Security forums how to do, if > you > > > > find out something new, let us know please :-) > > > > Sergey > > > > > > > > On 10/04/13 17:27, Julio Carlos Barrera Juez wrote: > > > > > > > >> I am able to attach a filter in a CXF Servlet in a Web Application > > using > > > >> configuration stored in /WEB-INF/web.xml: > > > >> > > > >> ... > > > >> > > > >> <filter> > > > >> <filter-name>**springSecurityFilterChain</**filter-name> > > > >> > > > >> <filter-class>org.**springframework.web.filter.** > > > >> DelegatingFilterProxy</filter-**class> > > > >> </filter> > > > >> > > > >> <filter-mapping> > > > >> <filter-name>**springSecurityFilterChain</**filter-name> > > > >> <url-pattern>/*</url-pattern> > > > >> </filter-mapping> > > > >> > > > >> ... > > > >> > > > >> It allows me to add Spring Security to CXF REST Web Services. > > > >> > > > >> I want to do exactly the same behaviour but in an standalone CXF > > server, > > > >> not in a Web Application (no web.xml at all!). I'm using Spring to > > > >> configure my CXF server: > > > >> > > > >> ... > > > >> > > > >> <jaxrs:server id="helloService" address="/hello"> > > > >> <jaxrs:serviceBeans> > > > >> <ref bean="serviceBean" /> > > > >> </jaxrs:serviceBeans> > > > >> </jaxrs:server> > > > >> <bean id="serviceBean" class="sec.Hello" /> > > > >> > > > >> ... > > > >> > > > >> I don't know how to hook Spring Security to my CXF server. I have > not > > > >> found > > > >> any working example or documentation about linking Spring Security > and > > > >> CXF. > > > >> > > > >> > > > > > > > > > > > > > >
